CVE-2021-37136

Summary

CVE	CVE-2021-37136
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-10-19 15:15:00 UTC
Updated	2023-11-07 03:36:00 UTC
Description	The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack

Risk And Classification

Problem Types: CWE-400

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Tinkerpop	3.5.0	All	All	All
Application	Apache	Tinkerpop	3.5.1	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	11.0	All	All	All
Application	Netapp	Oncommand Insight	-	All	All	All
Application	Netty	Netty	All	All	All	All
Application	Oracle	Banking Apis	19.1	All	All	All
Application	Oracle	Banking Apis	19.2	All	All	All
Application	Oracle	Banking Apis	20.1	All	All	All
Application	Oracle	Banking Apis	21.1	All	All	All
Application	Oracle	Banking Apis	All	All	All	All
Application	Oracle	Banking Digital Experience	18.1	All	All	All
Application	Oracle	Banking Digital Experience	18.2	All	All	All
Application	Oracle	Banking Digital Experience	18.3	All	All	All
Application	Oracle	Banking Digital Experience	19.1	All	All	All
Application	Oracle	Banking Digital Experience	19.2	All	All	All
Application	Oracle	Banking Digital Experience	20.1	All	All	All
Application	Oracle	Banking Digital Experience	21.1	All	All	All
Application	Oracle	Coherence	12.2.1.4.0	All	All	All
Application	Oracle	Coherence	14.1.1.0.0	All	All	All
Application	Oracle	Commerce Guided Search	11.3.2	All	All	All
Application	Oracle	Communications Brm - Elastic Charging Engine	All	All	All	All
Application	Oracle	Communications Brm - Elastic Charging Engine	12	0.0.5.0	All	All
Application	Oracle	Communications Cloud Native Core Binding Support Function	1.10.0	All	All	All
Application	Oracle	Communications Cloud Native Core Binding Support Function	1.11.0	All	All	All
Application	Oracle	Communications Cloud Native Core Network Slice Selection Function	1.8.0	All	All	All
Application	Oracle	Communications Cloud Native Core Policy	1.15.0	All	All	All
Application	Oracle	Communications Cloud Native Core Security Edge Protection Proxy	1.7.0	All	All	All
Application	Oracle	Communications Cloud Native Core Unified Data Repository	1.15.0	All	All	All
Application	Oracle	Communications Diameter Signaling Router	All	All	All	All
Application	Oracle	Communications Instant Messaging Server	8.1	All	All	All
Application	Oracle	Helidon	1.4.10	All	All	All
Application	Oracle	Helidon	2.4.0	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.48	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.57	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.58	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.59	All	All	All
Application	Oracle	Webcenter Portal	12.2.1.3.0	All	All	All
Application	Oracle	Webcenter Portal	12.2.1.4.0	All	All	All
Application	Quarkus	Quarkus	All	All	All	All

References

Reference	Source	Link	Tags
[SECURITY] [DLA 3268-1] netty security update	MLIST	lists.debian.org
[druid-commits] 20211025 [GitHub] [druid] jihoonson opened a new pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3		lists.apache.org
[druid-commits] 20211025 [GitHub] [druid] a2l007 commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3		lists.apache.org
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
Pony Mail!	MLIST	lists.apache.org
Debian -- Security Information -- DSA-5316-1 netty	DEBIAN	www.debian.org
[druid-commits] 20211025 [GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3		lists.apache.org
[druid-commits] 20211026 [GitHub] [druid] clintropolis merged pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Oracle Critical Patch Update Advisory - January 2022	MISC	www.oracle.com
Pony Mail!	MLIST	lists.apache.org
[tinkerpop-dev] 20211025 [jira] [Created] (TINKERPOP-2632) Netty 4.1.61 flagged with two high severity security violations		lists.apache.org
February 2022 Apache Netty Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Bzip2Decoder doesn't allow setting size restrictions for decompressed data · Advisory · netty/netty · GitHub	MISC	github.com
[druid-commits] 20211026 [GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Oracle Critical Patch Update Advisory - July 2022	N/A	www.oracle.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

181469 Debian Security Update for netty (DLA 3268-1)
181471 Debian Security Update for netty (DSA 5316-1)
182068 Debian Security Update for netty (CVE-2021-37136)
199574 Ubuntu Security Notification for Netty Vulnerabilities (USN-6049-1)
240458 Red Hat Update for JBoss Enterprise Application Platform 7.4.5 on RHEL 7 (RHSA-2022:4918)
240459 Red Hat Update for JBoss Enterprise Application Platform 7.4.5 on RHEL 8 (RHSA-2022:4919)
240925 Red Hat Update for Satellite 6.12 (RHSA-2022:8506)
376257 Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUJAN2022)
960485 Rocky Linux Security Update for Satellite (RLSA-2022:8506)
980258 Java (maven) Security Update for io.netty:netty-codec (GHSA-grg4-wf29-r9vv)